I’ve been looking into the use of eBay from an Eclipse RCP. The good news is that it works; at least, I’ve had some success. eBay provides a site for developers where you can get a software developer’s kit (SDK) that includes almost everything you need (more complete examples would be nice) including documentation, examples, and Java libraries. The libraries are Apache Axis-generated web services code (generated from a provided WSDL file). In addition to the SDK, eBay provides a “development sandbox” which is a complete “fake” eBay that works exactly like the “real” eBay with the exception that all the users and auction items are completely bogus (i.e. no articles or money change hands). The idea is that you can test against the sandbox without losing too much sleep over mistakes. You can access the sandbox from your favourite web browser just as easily as you access the real site. However, to access the sandbox using the web services API, you need to register. When you register, you are given a set of credentials that you need to use with every eBay API call.
One curious thing that I’ve run into is the way that you log in to eBay from an RCP application. In short… you don’t. While it is possible to provide a user name and password, it’s not supported by most calls. The SDK documentation states:
“As of the version 361 release, the use of a user name and password to authenticate the requester of a call is deprecated for most calls. Most calls that attempt user authentication with a user name and password will fail with an error. Applications must use authentication tokens for the authentication of these calls.”
To do just about anything interesting, you need to get a token. You can get a token in two ways and both require web access. If you’re building a web application, you need to redirect the user to an eBay-provided web page which will take care of user authentication and then redirect the user back to your site with the token embedded in the request (which you can then extract and use on your own API calls). If you’re building an RCP application, you still need to send the user to the eBay website to generate a token, but then you must use the APIs to query for the token. It’s all a little weird, but it makes sense (at least at some level). Although I haven’t found it explicitly stated (yet), it seems that the good people at eBay don’t want third party vendors to have access to their users’ eBay passwords (once you have the token, you can get the user name). eBay is just protecting itself: I imagine that it would only take a few malicious vendors hijacking user login information to taint eBay’s generally good reputation.
Unfortunately, while the documentation does seem to be pretty complete in explaining what needs to be done, I haven’t been able to find any really good examples. What you’re supposed to do is something along the following lines:
- Determine a “unique authentication identifier” for your application (called a “runame”). The runame is determined using an API call to eBay.
- Create a “special id” (sid) that is unique. The documentation recommends using a Universally Unique Identifier (UUID); Java 5 includes a java.util.UUID class to generate these (there are other implementations that will work with Java 1.4.x).
- Open a browser and direct the user to the eBay login site with the runame and sid included as parameters.
  - To sign in to the sandbox, the URL looks like this:
    https://signin.sandbox.ebay.com/ws/eBayISAPI.dll?SignIn&runame=XXX&sid=XXX
- When the user is done, you make an API call (FetchTokenCall) with the runame and sid as parameters to retrieve the token.
Once you have the token, you’re in business. In the process of logging in, the eBay site attempts to make sure that the user is aware of the inherent risks of using your software and makes them agree that they are indeed comfortable with the risk before actually creating the token.
In an Eclipse RCP, this is relatively straightforward to use (if not a little odd and painful from the user’s perspective):
- Open a browser that points to the login URL
- Open a modal dialog box with an “Ok” and “Cancel” button
- When the user clicks “Ok”, go and get the token. Once you have the token, you’re away!
- When the user clicks “Cancel”, bail out.
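The two step lists above can be tied together in one small class that owns the sid from the browser step through to the token fetch. This is an added example, not code from the original post or from the eBay SDK: TokenFetcher is a hypothetical stand-in for the SDK's FetchToken call, and the runame value, the fake token and the ten-minute sid lifetime are assumptions of the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.UUID;

/** Added example: one pending desktop sign-in, tying the browser step to the later token fetch. */
public class PendingSignIn {
    /** Hypothetical stand-in for the SDK's FetchToken call; not the SDK's real signature. */
    public interface TokenFetcher { String fetch(String runame, String sid) throws Exception; }

    private static final String SANDBOX_SIGNIN =
        "https://signin.sandbox.ebay.com/ws/eBayISAPI.dll?SignIn";
    private static final long MAX_AGE_MS = 10 * 60 * 1000L; // assumed lifetime for a pending sid

    private final String runame;
    private final String sid = UUID.randomUUID().toString(); // type 4 UUID from a strong PRNG
    private final long created = System.currentTimeMillis();
    private boolean used;

    public PendingSignIn(String runame) { this.runame = runame; }

    /** URL to open in the user's browser; both parameters are URL-encoded. */
    public String signInUrl() throws UnsupportedEncodingException {
        return SANDBOX_SIGNIN + "&runame=" + URLEncoder.encode(runame, "UTF-8")
                              + "&sid=" + URLEncoder.encode(sid, "UTF-8");
    }

    /** Call when the user clicks "Ok"; a sid yields one token, within MAX_AGE_MS. */
    public synchronized String fetchToken(TokenFetcher fetcher) throws Exception {
        if (used) throw new IllegalStateException("sid already used; start a new sign-in");
        if (System.currentTimeMillis() - created > MAX_AGE_MS)
            throw new IllegalStateException("sign-in expired; start a new sign-in");
        String token = fetcher.fetch(runame, sid); // a failure here leaves the sid retryable
        used = true;
        return token;
    }

    public static void main(String[] args) throws Exception {
        PendingSignIn signIn = new PendingSignIn("Example-RuName"); // constructed value
        System.out.println("Open in browser: " + signIn.signInUrl());
        // Constructed fetcher that returns a fake token instead of calling eBay.
        TokenFetcher fake = new TokenFetcher() {
            public String fetch(String runame, String sid) { return "FAKE-TOKEN-for-" + sid; }
        };
        String token = signIn.fetchToken(fake);
        System.out.println("Got token of length " + token.length()); // keep the token out of logs
        try { signIn.fetchToken(fake); }
        catch (IllegalStateException e) { System.out.println("Second fetch refused: " + e.getMessage()); }
    }
}
```

Creating a fresh PendingSignIn for every login attempt means a sid is never shared between users or reused after a cancelled dialog.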
I’ve almost got it all working. The documentation says that in order to actually get the token, you need to provide the application’s user id and password in the call. I haven’t quite sorted out which user id and password that is. And, I can’t seem to find any help. Has anybody out there sorted this out yet?
When I do get this working, I’ll post some sample code.